pam_tally with sshd: ssh password-based failures not tally'd
Adam Monsen
haircut at gmail.com
Wed Oct 27 07:42:03 UTC 2004
Hmm, after tinkering a bit, I think I'm able to get sshd/PAM to
actually lock out users after a certain number of failed login
attempts. Here are the relevant lines from my /etc/pam.d/sshd:
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root per_user
The trick is the account component must include 'no_magic_root' and
'per_user'. Don't ask me why. The documentation is poor since per_user
shouldn't be required but is.
Once it "works", the behavior is still pretty strange:
1. user makes three failed login attempts via ssh
2. faillog(8) can be used to indeed report the user's 3 failed logins
at this point, two things can happen (I'll try explaining with pseudocode):
if ( user enters correct password ) {
User's ssh client says: "Read from remote host localhost:
Connection reset by peer
Connection to localhost closed."
} else ( user enters incorrect password ) {
User is again prompted for password after a slight pause.
No indication is given that the account is locked.
}
Ok, fine, so it doesn't let them log in, but because an /incorrect/
password attempt /doesn't/ show any indication that the account is
locked, a cracker could infer they've figured out the password when
the connection unexpectedly drops, then wait until the sysadmin resets
the failed login counts and log in successfully!
I know this is a somewhat borderline, difficult-to-exploit case, but
it seems like buggy behavior on the part of pam_tally. I would expect
either branch of the condition to cause PAM/ssh/whatever to just spit
out "account disabled" and drop the connection.
Here's my complete, somewhat working /etc/pam.d/sshd:
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root per_user
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_selinux.so
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
Oh, I should also mention that some strange messages are sent to
syslog after 3 failed attempts and one attempt with the correct
password:
==> /var/log/messages <==
Oct 27 00:15:01 mikey pam_tally[12812]: user embo (505) tally 4, deny 3
==> /var/log/secure <==
Oct 27 00:15:01 mikey sshd[12812]: pam_succeed_if: requirement "uid < 100" not met by user "embo"
Oct 27 00:15:01 mikey sshd[12812]: PAM rejected by account configuration[7]: Authentication failure
Oct 27 00:15:01 mikey sshd[12812]: Failed password for embo from 127.0.0.1 port 34751 ssh2
Oct 27 00:15:01 mikey sshd[12812]: fatal: monitor_read: unsupported request: 24
Not sure what that stuff means.
Anyone know a simple way to allow, say, a 1 hour timeout before the
user is able to log in again? I'm sure some kinda cron job that uses
faillog(8) is possible, but I thought I'd see if anyone knew a
/really/ easy way first.
Also, anyone know of a PAM module that can increase the time a user
waits to re-enter their password after each unsuccessful login
attempt? If not, then maybe just a simple way to adjust the time a
user waits to re-enter their password after each unsuccessful login
attempt?
On Sat, 16 Oct 2004 10:56:45 -0700, Adam Monsen <haircut at gmail.com> wrote:
> I can't get password-based failures to be recorded using pam_tally.
> Anyone have any PAM/sshd insight? Here's my /etc/pam.d/sshd:
>
> #%PAM-1.0
> auth required pam_stack.so service=system-auth
> auth required pam_tally.so
> auth required pam_nologin.so
> account required pam_tally.so deny=3
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> session required pam_limits.so
> session optional pam_console.so
>
> /var/log/faillog is never written to when a failed password-based
> login attempt occurs.
>
> # ls -l /var/log/faillog
> -rw-r----- 1 root root 12312 Oct 16 10:31 /var/log/faillog
>
> I tried restarting sshd, but no luck. Nothing helpful about why these
> attempts are not recorded. I'm running Fedora Core 1 with
> openssh-server-3.6.1p2-19.
>
> Do I need PAMAuthenticationViaKbdInt or UseLogin or something else set
> in /etc/ssh/sshd_config? I don't want to mess with these without
> understanding their purpose.
>
> I did get pam_tally to work with 'su' by modifying /etc/pam.d/su in a
> similar way. Anyone know why /etc/pam.d/su uses the following format
> for specifying the location of a PAM module?
> auth required /lib/security/$ISA/pam_tally.so
>
> From what I can tell, /lib/security/ is the default location searched
> for modules, so this seems unnecessary.
>
> --
> Adam Monsen <adamm at wazamatta.com>
> http://adammonsen.com/
>
--
Adam Monsen <adamm at wazamatta.com>
http://adammonsen.com/
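Editor's added example (not part of the post or of pam_tally/OpenSSH): a small Python log reader for the kind of syslog lines quoted above. It counts "Failed password" lines per user, reads the pam_tally "tally N, deny M" lines to see who has exceeded the limit, and flags the case the post describes: an sshd process whose account phase rejected a locked user, which only happens after the auth phase accepted the password. The sample lines are constructed (modelled on the excerpt, with a made-up user "alice"), and linking pam_tally and sshd lines by their shared pid is an assumption drawn from both lines carrying 12812 in the post.

```python
import re
from collections import defaultdict

# Constructed sample log. The embo lines follow the /var/log/messages and
# /var/log/secure excerpts in the post; the alice line is made up.
SAMPLE_LOG = """\
Oct 27 00:14:40 mikey sshd[12801]: Failed password for embo from 127.0.0.1 port 34740 ssh2
Oct 27 00:14:48 mikey sshd[12805]: Failed password for embo from 127.0.0.1 port 34744 ssh2
Oct 27 00:14:55 mikey sshd[12809]: Failed password for embo from 127.0.0.1 port 34748 ssh2
Oct 27 00:15:01 mikey pam_tally[12812]: user embo (505) tally 4, deny 3
Oct 27 00:15:01 mikey sshd[12812]: PAM rejected by account configuration[7]: Authentication failure
Oct 27 00:15:01 mikey sshd[12812]: Failed password for embo from 127.0.0.1 port 34751 ssh2
Oct 27 00:16:10 mikey sshd[12830]: Failed password for alice from 10.0.0.9 port 50000 ssh2
"""

TALLY_RE = re.compile(r"pam_tally\[(\d+)\]: user (\S+) \(\d+\) tally (\d+), deny (\d+)")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+) port \d+")
ACCT_REJECT_RE = re.compile(r"sshd\[(\d+)\]: PAM rejected by account configuration")


def summarize(log_text):
    """Per-user summary: failed-password count, last tally/deny seen, whether
    the tally exceeds the deny limit (pam_tally denies when tally > deny), and
    whether an account-phase rejection hit that user."""
    users = defaultdict(lambda: {"failed": 0, "tally": 0, "deny": 0,
                                 "locked": False, "rejected_after_auth": False})
    tally_pid_user = {}   # assumption: pam_tally logs under the sshd pid, so the pid links both files
    rejected_pids = set()
    for line in log_text.splitlines():
        if m := TALLY_RE.search(line):
            pid, user, tally, deny = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
            rec = users[user]
            rec["tally"], rec["deny"] = tally, deny
            rec["locked"] = deny > 0 and tally > deny
            tally_pid_user[pid] = user
        elif m := FAILED_RE.search(line):
            users[m.group(1)]["failed"] += 1
        elif m := ACCT_REJECT_RE.search(line):
            rejected_pids.add(m.group(1))
    # The account phase only runs once the auth phase has passed, so an account
    # rejection for a locked user is the "correct password, connection dropped"
    # case from the post and deserves a closer look than a plain failed password.
    for pid in rejected_pids & set(tally_pid_user):
        users[tally_pid_user[pid]]["rejected_after_auth"] = True
    return dict(users)


if __name__ == "__main__":
    for user, rec in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{user}: {rec}")
```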